Failover for non-Meraki VPN peer
Hi All
Is it possible in Meraki to add a second peer for a site-to-site VPN for failover? We have a Meraki firewall and the other end is an ASA with 2 public IP addresses. If the primary link on the ASA fails, we want the Meraki to fail over to the ASA's second public IP. Is this possible?
Cheers
If you plan on doing it without BGP, you would need to do something like this:
Tag-Based IPsec VPN Failover - Cisco Meraki Documentation
When you configure two static tunnels towards the same network segment, the traffic will flow across both tunnels at random, I think.
A better solution would be to do site to site with BGP peering. It's available from MX19.1 and up, so quite fresh. But it could be worth looking into.
The tag-based one looks a little overkill and complex for a simple task. The BGP idea might be better. Would this be using VTI tunnels then?
How exactly Meraki handles tunnels is unknown to me, sadly. But I read somewhere that the MX only does policy-based VPN.
As of now the tunnels are policy-based VPN tunnels, so no VTI.
Tag-based failover is the only way for the moment.
Hi @carlto ,
This might interest you 😉
"BGP peering over IPsec VPN tunnels can be enabled on the Meraki Security Appliance. This unlocks new dynamic routing use cases for customers in addition to enabling resiliency and redundancy over IPsec VPN peers."
https://documentation.meraki.com/MX/Site-to-site_VPN/BGP_routing_over_IPsec_VPN
Cheers,
Ivan Jukić,
Meraki APJC
If you found this post helpful, please give it kudos. If it solved your problem, click "accept as solution" so that others can benefit from it.
